In ARM, when I want to use a key vault secret that is not a mandatory part of a deployment, I use the following bit of code so that I can pass the secret only when it is being referenced from the parameters passed, or when it is needed to deploy the resource in question (Linux VM with either a password or an SSH key, for instance)
(newlines for better readability):
"[if( empty( parameters( 'resource' ).secretValue.keyVaultName ),
    createObject(
        'value', ''
    ),
    createObject(
        'reference', createObject(
            'keyVault', createObject(
                'id', resourceId(
                    parameters( 'resource' ).secretValue.keyVaultSubscriptionId,
                    parameters( 'resource' ).secretValue.keyVaultResourceGroup,
                    'Microsoft.KeyVault/vaults',
                    parameters( 'resource' ).secretValue.keyVaultName
                )
            ),
            'secretName', parameters( 'resource' ).secretValue.keyVaultSecretName
        )
    )
)]",
Sadly, Bicep doesn't offer me the same level of flexibility with GetSecret(). I'd like to be able to do things like this:
resource secretKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
    scope: resourceGroup(resource.secretValue.keyVaultSubscriptionId, resource.secretValue.keyVaultResourceGroup)
    name: resource.secretValue.keyVaultName
}

module subResource 'sub-resource.bicep' = {
    name: 'subResource'
    params: {
        secretValue: !empty(resource.secretValue.keyVaultName) ? secretKeyVault.getSecret(resource.secretValue.keyVaultSecretName) : ''
    }
}
But right now, GetSecret can only be used to directly assign a value to a secureString parameter. So right now I'm stuck creating multiple declarations of modules based on whether or not the secret needs to be passed, which can balloon quickly when there are multiple optional secrets...
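For context, here is the ARM pattern from the post placed in a complete template (an added example, not the poster's own template): the conditional `if()`/`createObject()` expression sits in the `parameters` of a linked `Microsoft.Resources/deployments` resource, and the default `resource` object leaves `keyVaultName` empty so that no Key Vault reference is emitted unless a caller supplies one. The `templateLink` URI and the `secretValue` parameter name of the linked template are placeholders assumed for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resource": {
      "type": "object",
      "defaultValue": {
        "secretValue": {
          "keyVaultSubscriptionId": "",
          "keyVaultResourceGroup": "",
          "keyVaultName": "",
          "keyVaultSecretName": ""
        }
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "subResource",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "https://example.invalid/sub-resource.json",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "secretValue": "[if(empty(parameters('resource').secretValue.keyVaultName), createObject('value', ''), createObject('reference', createObject('keyVault', createObject('id', resourceId(parameters('resource').secretValue.keyVaultSubscriptionId, parameters('resource').secretValue.keyVaultResourceGroup, 'Microsoft.KeyVault/vaults', parameters('resource').secretValue.keyVaultName)), 'secretName', parameters('resource').secretValue.keyVaultSecretName)))]"
        }
      }
    }
  ]
}
```

The linked template must declare `secretValue` as `secureString` so the value never lands in deployment outputs or logs, and the referenced vault needs `enabledForTemplateDeployment` set to `true` for Resource Manager to resolve the reference at deployment time.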